Question No: 1041 – (Topic 6)

Which of the following cryptographic related browser settings allows an organization to communicate securely?

SSL 3.0/TLS 1.0

3DES

Trusted Sites

HMAC

Answer: A Explanation:

Secure Sockets Layer (SSL) is used to establish a secure communication connection between two TCP-based machines. Transport Layer Security (TLS) is a security protocol that expands upon SSL. Many industry analysts predict that TLS will replace SSL in the future. TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As of February 2015, the latest versions of all major web browsers support TLS 1.0, 1.1, and 1.2, have them enabled by default.

Question No: 1042 – (Topic 6)

Which of the following algorithms has well documented collisions? (Select TWO).

AES

MD5

SHA

SHA-256

RSA

Answer: B,C Explanation:

B: MD5 biggest weakness is that it does not have strong collision resistance, and thus it is no longer recommended for use.

C: SHA-1 (also known as SHA) is being retired from most government uses; the U.S.

National Institute of Standards and Technology said, quot;Federal agencies should stop using SHA-1 for…applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010quot;, though that was later relaxed.

Note: The hashing algorithm must have few or no collisions. This means that hashing two different inputs does not give the same output.

Cryptographic hash functions are usually designed to be collision resistant. But many hash functions that were once thought to be collision resistant were later broken. MD5 and SHA- 1 in particular both have published techniques more efficient than brute force for finding collisions.

Question No: 1043 – (Topic 6)

The public key is used to perform which of the following? (Select THREE).

Validate the CRL

Validate the identity of an email sender

Encrypt messages

Perform key recovery

Decrypt messages

Perform key escrow

Answer: B,C,E Explanation:

B: The sender uses the private key to create a digital signature. The message is, in effect, signed with the private key. The sender then sends the message to the receiver. The receiver uses the public key attached to the message to validate the digital signature. If the values match, the receiver knows the message is authentic.

C: The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message.

E: You encrypt data with the private key and decrypt with the public key, though the opposite is much more frequent.

Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic protocols based on algorithms that require two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked.

Question No: 1044 – (Topic 6)

Which of the following provides the HIGHEST level of confidentiality on a wireless network?

Disabling SSID broadcast

MAC filtering

WPA2

Packet switching

Answer: C Explanation:

The Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) authentication protocols were designed to address the core, easy-to-crack problems of WEP.

Question No: 1045 – (Topic 6)

Which of the following explains the difference between a public key and a private key?

The public key is only used by the client while the private key is available to all. Both keys are mathematically related.

The private key only decrypts the data while the public key only encrypts the data. Both keys are mathematically related.

The private key is commonly used in symmetric key decryption while the public key is used in asymmetric key decryption.

The private key is only used by the client and kept secret while the public key is available to all.

Answer: D Explanation:

The private key must be kept secret at all time. The private key is only by the client. The public key is available to anybody.

Question No: 1046 – (Topic 6)

Deploying a wildcard certificate is one strategy to:

Secure the certificate’s private key.

Increase the certificate’s encryption key length.

Extend the renewal date of the certificate.

Reduce the certificate management burden.

Answer: D Explanation:

A wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain. This saves money and reduces the management burden of managing multiple certificates, one for each subdomain.

A single Wildcard certificate for *.example.com, will secure all these domains: payment.example.com

Because the wildcard only covers one level of subdomains (the asterisk doesn#39;t match full stops), these domains would not be valid for the certificate:

test.login.example.com

Question No: 1047 – (Topic 6)

Due to hardware limitation, a technician must implement a wireless encryption algorithm that uses the RC4 protocol. Which of the following is a wireless encryption solution that the technician should implement while ensuring the STRONGEST level of security?

A. WPA2-AES

B. 802.11ac

WPA-TKIP

WEP

Answer: C Explanation:

WPA-TKIP uses the RC4 cipher.

TKIP and the related WPA standard implement three new security features to address security problems encountered in WEP protected networks. First, TKIP implements a key mixing function that combines the secret root key with the initialization vector before

passing it to the RC4 initialization. WEP, in comparison, merely concatenated the initialization vector to the root key, and passed this value to the RC4 routine. This permitted the vast majority of the RC4 based WEP related key attacks. Second, WPA implements a sequence counter to protect against replay attacks. Packets received out of order will be rejected by the access point. Finally, TKIP implements a 64-bit Message Integrity Check (MIC)

To be able to run on legacy WEP hardware with minor upgrades, TKIP uses RC4 as its cipher. TKIP also provides a rekeying mechanism. TKIP ensures that every data packet is sent with a unique encryption key.

Question No: 1048 – (Topic 6)

Company employees are required to have workstation client certificates to access a bank website. These certificates were backed up as a precautionary step before the new computer upgrade. After the upgrade and restoration, users state they can access the bank’s website, but not login. Which is the following is MOST likely the issue?

The IP addresses of the clients have change

The client certificate passwords have expired on the server

The certificates have not been installed on the workstations

The certificates have been installed on the CA

Answer: C Explanation:

The computer certificates must be installed on the upgraded client computers.

Question No: 1049 – (Topic 6)

Which of the following would Matt, a security administrator, use to encrypt transmissions from an internal database to an internal server, keeping in mind that the encryption process must add as little latency to the process as possible?

ECC

RSA

SHA

3DES

Answer: D Explanation:

3DES would be less secure compared to ECC, but 3DES would require less computational power.

Triple-DES (3DES) is a technological upgrade of DES. 3DES is still used, even though AES is the preferred choice for government applications. 3DES is considerably harder to break than many other systems, and it’s more secure than DES. It increases the key length to 168 bits (using three 56-bit DES keys).

Question No: 1050 – (Topic 6)

In which of the following scenarios is PKI LEAST hardened?

The CRL is posted to a publicly accessible location.

The recorded time offsets are developed with symmetric keys.

A malicious CA certificate is loaded on all the clients.

All public keys are accessed by an unauthorized user.

Answer: C Explanation:

A rogue Certification Authority (CA) certificate allows malicious users to impersonate any Web site on the Internet, including banking and e-commerce sites secured using the HTTPS protocol. A rogue CA certificate would be seen as trusted by Web browsers, and it is harmful because it can appear to be signed by one of the root CAs that browsers trust by default. A rogue Certification Authority (CA) certificate can be created using a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure Web sites.